Compliance Guide: Who Is Not a Covered Entity Under HIPAA
Determining who is not a covered entity under HIPAA starts with knowing exactly who is. From there, you can evaluate adjacent organizations—employers, schools, apps, and others—to see when HIPAA does not apply and what alternative rules might. This guide gives you a practical framework to make that call and manage Protected Health Information responsibly.
Define Covered Entities Under HIPAA
Under the HIPAA Privacy Rule and HIPAA Security Rule, covered entities are limited to three categories:
- Health plans, such as group health plans, health insurance issuers, HMOs, Medicare, and Medicaid.
- Health care clearinghouses that translate nonstandard health data into standard transaction formats and vice versa.
- Health care providers that transmit health information electronically in connection with standard transactions (for example, electronic claims or eligibility checks). A provider that bills only on paper, or only in ways that are not standard transactions, is not a covered entity.
If you do not fit squarely into one of these categories, you are not a covered entity. Covered entities have HIPAA compliance obligations for safeguarding PHI and electronic Protected Health Information (ePHI), implementing administrative, physical, and technical safeguards, and following breach notification requirements.
Identify Non-Covered Entities
Many organizations interact with health-related data yet are not covered entities because they are neither health plans, health care clearinghouses, nor qualifying providers:
- Employers in their role as employers (separate from any group health plan they sponsor).
- Life, disability, auto, and workers’ compensation insurers and administrators.
- Schools and school districts handling education records governed by FERPA rather than HIPAA.
- Law enforcement agencies, courts, and many state or municipal agencies not operating a covered health component.
- Consumer wellness apps, fitness trackers, and personal health record tools that do not act for or on behalf of a covered entity.
- Marketing firms, data analytics companies, and personal injury law firms not performing HIPAA-regulated functions.
- Banks and other financial institutions performing standard banking activities.
Some organizations are hybrid entities, meaning only their designated health care components are subject to HIPAA. For example, a university’s hospital may be covered, while the broader university operations are not.
Distinguish Business Associates
Business associates are not covered entities, but they are regulated under HIPAA when they create, receive, maintain, or transmit PHI or ePHI on behalf of a covered entity. Since the HITECH Act and the 2013 Omnibus Rule, business associates are directly liable for complying with the Security Rule and with the Privacy Rule provisions that apply to them, and a subcontractor that handles PHI for a business associate is itself a business associate. Typical business associates include cloud hosting providers, claims processors, billing services, EHR vendors, transcription services, and consultants handling PHI.
When a vendor qualifies as a business associate, the parties must execute a Business Associate Agreement. These contracts require safeguards consistent with the HIPAA Security Rule, limit uses and disclosures to the stated purpose, and impose breach reporting duties. The agreement is required, but it is not the source of the obligation: a vendor that handles PHI for a covered entity is a business associate whether or not a BAA was ever signed. Two practitioner caveats: HHS guidance treats a cloud provider that stores ePHI as a business associate even if the data is encrypted and the provider never holds the key, and the "conduit" exception (for services that merely transmit PHI, such as a postal or internet service provider) is narrow. If a vendor receives only de-identified data or operates without PHI for a covered entity, it is generally not a business associate.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Understand PHI Handling Exceptions
- De-identified data: Information de-identified under either of HIPAA's two standards, Safe Harbor (removal of the 18 specified identifiers, with no actual knowledge that the remaining data could identify an individual) or Expert Determination, is not PHI and falls outside HIPAA.
- Employment records: Information an employer holds as an employer (such as FMLA paperwork or drug tests in personnel files) is not PHI, even if the employer sponsors a covered group health plan.
- Education records: Student health information maintained by an educational institution subject to FERPA is not PHI.
- Permitted disclosures: Covered entities may disclose PHI without authorization in specific circumstances (for example, workers’ compensation, certain public health and law enforcement purposes) under the Privacy Rule. Receipt of such data does not, by itself, convert the recipient into a covered entity.
- Hybrid entities: Only the designated health care components are subject to HIPAA; other organizational units are not.
The key test is whether you are a covered entity, or a business associate (or subcontractor of one) handling PHI on behalf of a covered entity. If not, HIPAA generally does not apply, though other laws might.
Explore Regulatory Implications for Non-Covered Entities
Being a non-covered entity does not mean you can ignore privacy and security. Even without HIPAA Compliance Obligations, you may be governed by other frameworks:
- Federal consumer protection laws, including prohibitions on unfair or deceptive practices (for instance, privacy promises you must honor).
- The FTC Health Breach Notification Rule, which imposes breach notification requirements on certain personal health record vendors and related services that are not covered by HIPAA.
- State privacy statutes (such as general consumer privacy acts), health-specific laws, and state data breach notification laws.
- Contractual duties in service agreements, including data protection addenda that mirror HIPAA-like controls.
Practical steps for non-covered entities include data mapping, minimizing collection of sensitive data, implementing strong security for any health-related data, aligning practices with published privacy notices, and avoiding implying HIPAA coverage when it does not apply.
Review Examples of Non-Covered Entities
- Employers (HR departments, supervisors) handling workplace medical information outside the group health plan.
- Life and disability insurers underwriting or administering non-health-plan benefits.
- Workers’ compensation carriers and state workers’ compensation agencies receiving PHI for claims under applicable laws.
- Schools and school districts managing student health records as education records under FERPA.
- Consumer wellness apps, nutrition trackers, and wearable device companies collecting user-entered health data for themselves rather than on behalf of a covered entity (an app a hospital offers to its patients through a vendor is different; that vendor is a business associate).
- Personal injury attorneys and litigation support vendors handling medical records for their own clients' legal claims (a law firm representing a covered entity and receiving PHI to do so would be a business associate).
- Law enforcement agencies and courts obtaining medical information for investigations or proceedings.
- Banks, lenders, and payment processors conducting standard financial operations.
- Marketing and analytics vendors working with de-identified or aggregate health-related datasets.
In summary, you are not a covered entity unless you are a health plan, a health care clearinghouse, or a qualifying provider engaged in standard electronic transactions. If you handle PHI for a covered entity, you may be a business associate and need a Business Associate Agreement. Otherwise, plan for applicable consumer protection, breach notification, and state privacy rules to govern your operations.
FAQs
Who qualifies as a covered entity under HIPAA?
Covered entities are health plans, health care clearinghouses, and health care providers who transmit health information electronically in standard transactions. These entities must follow the HIPAA Privacy Rule and HIPAA Security Rule for PHI and ePHI.
What distinguishes a business associate from a covered entity?
A covered entity is directly regulated as a health plan, clearinghouse, or qualifying provider. A business associate is any vendor or partner that creates, receives, maintains, or transmits PHI on behalf of a covered entity. It is directly subject to the HIPAA Security Rule and applicable Privacy Rule provisions by law, must sign a Business Associate Agreement with the covered entity, and must implement appropriate safeguards and report breaches to the covered entity.
Are employers considered covered entities under HIPAA?
No. Employers acting as employers are not covered entities. However, a self-insured or fully insured group health plan the employer sponsors is generally a covered entity (a narrow exception exists for plans with fewer than 50 participants that are administered solely by the employer), and PHI shared with that plan is protected. Employment records maintained by the employer in its role as employer are not PHI.
How does HIPAA apply to educational institutions?
Most student health records maintained by schools are education records governed by FERPA, not HIPAA. If a school operates a clinical unit that conducts standard electronic transactions, that health care component may be covered, often within a hybrid entity structure.